Contents of the Roots

Comparison between the contents of the root certificates generated in 2003, 2008 and 2014 (tbd). See Roots/ContentsDiscussion for the evolving debate on all questions; see Roots/Structure for the hierarchy of all roots.

Layout

Technical Layout

Field | 2003 | 2008 | 2014 (tbd) | comments
Version | version 3 | version 3 | version 3 | Required; no problems.
serialNumber | 0, 1 | 2, 3, 4 (, 5, 6) | | Must be unique among the certificates issued by the same issuer: issuer name plus serial number identifies a certificate (RFC 5280 4.1.2.2). Same as SKID?
subjectKeyIdentifier | "hash" == sha1(own public key) | same | same | Non-critical extension, obligatory. "hash" is the openssl.cnf keyword: the SHA-1 of the subjectPublicKey BIT STRING content, without tag, length and unused-bits octet (RFC 5280 4.2.1.2, method 1). See RFC 5280 for format and contents.
authorityKeyIdentifier | "hash" == sha1(signing public key), i.e. the signing key's SKID | same | same | Non-critical extension, obligatory. For a self-signed root the keyIdentifier equals the root's own SKID. See RFC 5280 for format and contents.
Validity | 2033 | 2038 | 2034 | Validity reduced from 30 to 20 years to ensure cryptographic sanity.

Cryptographic algorithms

Field | 2003 | 2008 | 2014 (tbd) | comments
Signature algorithm (listed as "PK Type"; the key type is RSA in all three) | MD5 with RSA Encryption (1.2.840.113549.1.1.4) | SHA-1 with RSA Encryption (1.2.840.113549.1.1.5) | SHA-512 with RSA Encryption (1.2.840.113549.1.1.13) | Recently issued roots expiring out to 2040 use SHA-1 with RSA. Windows XP does not support (roots signed with) SHA-2 until SP3.
Size | 4096 bits | 4096 bits | 4096 bits | Good for 30 years, see BlueKrypt.
Format | PKCS#1 | PKCS#1 | PKCS#1 | Standard.
Hash | MD5 | SHA-1 | SHA-512 |
basicConstraints | critical | critical | critical | Critical Basic Constraints extension.
  cA | true | true | true | Is a Certification Authority.
  pathLen | 3 | 3 | 3 | pathLenConstraint: the maximum number of intermediate (non-self-issued) CA certificates that may follow this one in a chain; the end-entity certificate is not counted (RFC 5280 4.2.1.9). Optional field.
keyUsage | keyCertSign and cRLSign only | same | same | Critical extension, obligatory for roots; bits 5 (keyCertSign) and 6 (cRLSign) set. EV-G-AppB concurs.

CPS 6.3.2 specifies 30 years for root certificates (the 2008 root is capped by the Y2038 limit, so it has 29.5 years) and 10 years for sub-root certificates. See also the CA/Browser Forum Baseline Requirements for Certificates.
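The extensions the table above asks for, as an added example that is not CAcert's own code: a standard-library Python script that DER-encodes basicConstraints (critical, cA true, pathLen 3), keyUsage (critical, bits 5 and 6) and the two key identifiers for a self-signed root, and decodes a keyUsage value back into bit names so an existing root can be checked against the table. All names in it (key_identifier, KEY_USAGE_BITS, SAMPLE_SPKI and the rest) are this example's own; SAMPLE_SPKI wraps a constructed placeholder RSA public key, not a real root key.

```python
import hashlib

# Added example, not CAcert's code: DER-encode the root extensions from the
# Technical Layout table using only the standard library (OIDs from RFC 5280).
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
OID_SUBJECT_KEY_ID, OID_AUTHORITY_KEY_ID = "2.5.29.14", "2.5.29.35"
OID_KEY_USAGE, OID_BASIC_CONSTRAINTS = "2.5.29.15", "2.5.29.19"
# KeyUsage bit positions (RFC 5280 4.2.1.3): keyCertSign is bit 5, cRLSign bit 6.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(n):
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return tlv(0x02, body)

def der_bool(flag):
    return tlv(0x01, b"\xff" if flag else b"\x00")

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128 digits, high bit set on all but the last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def der_read(buf, pos=0):
    """Read one TLV starting at pos: (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) octets hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def key_identifier(spki):
    """RFC 5280 4.2.1.2 method 1 (what the openssl.cnf keyword 'hash' produces):
    SHA-1 over the subjectPublicKey BIT STRING content, minus tag, length and unused-bits octet."""
    _, seq, _ = der_read(spki)               # SubjectPublicKeyInfo SEQUENCE
    _, _, after_alg = der_read(seq)          # skip AlgorithmIdentifier
    tag, bits, _ = der_read(seq, after_alg)  # subjectPublicKey
    assert tag == 0x03, "subjectPublicKey must be a BIT STRING"
    return hashlib.sha1(bits[1:]).digest()

def extension(oid, critical, value):
    """Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue OCTET STRING }"""
    crit = der_bool(True) if critical else b""  # DER omits DEFAULT values
    return tlv(0x30, der_oid(oid) + crit + tlv(0x04, value))

def basic_constraints_ext(path_len):
    """Critical; cA TRUE with pathLenConstraint (3 in the table)."""
    return extension(OID_BASIC_CONSTRAINTS, True,
                     tlv(0x30, der_bool(True) + der_int(path_len)))

def key_usage_ext(names=("keyCertSign", "cRLSign")):
    """Critical; bit 0 is the MSB of octet 0, padding kept minimal as DER requires."""
    positions = [KEY_USAGE_BITS.index(n) for n in names]
    nbytes = max(positions) // 8 + 1
    octets = bytearray(nbytes)
    for p in positions:
        octets[p // 8] |= 0x80 >> (p % 8)
    unused = 8 * nbytes - (max(positions) + 1)
    return extension(OID_KEY_USAGE, True, tlv(0x03, bytes([unused]) + bytes(octets)))

def decode_key_usage(ext):
    """Names of the bits set in an encoded keyUsage extension (to check a root)."""
    _, seq, _ = der_read(ext)
    _, _, pos = der_read(seq)                    # extnID
    tag, content, pos = der_read(seq, pos)
    if tag == 0x01:                              # critical flag present; extnValue follows
        tag, content, pos = der_read(seq, pos)
    _, bits, _ = der_read(content)               # BIT STRING inside the OCTET STRING
    return [KEY_USAGE_BITS[p] for p in range(8 * (len(bits) - 1) - bits[0])
            if bits[1 + p // 8] & (0x80 >> (p % 8))]

def subject_key_id_ext(spki):
    return extension(OID_SUBJECT_KEY_ID, False, tlv(0x04, key_identifier(spki)))

def authority_key_id_ext(issuer_spki):
    """keyIdentifier [0] IMPLICIT OCTET STRING; a self-signed root names its own SKID."""
    return extension(OID_AUTHORITY_KEY_ID, False,
                     tlv(0x30, tlv(0x80, key_identifier(issuer_spki))))

# Constructed placeholder RSAPublicKey { n, e }: not a real key, only a valid
# encoding so the SPKI parses. A real 4096-bit root carries a 512-octet modulus.
SAMPLE_SPKI = tlv(0x30, tlv(0x30, der_oid(OID_RSA_ENCRYPTION) + b"\x05\x00")
                   + tlv(0x03, b"\x00" + tlv(0x30, der_int(0xC0FFEE) + der_int(65537))))
```

To check a real root, replace SAMPLE_SPKI with its DER SubjectPublicKeyInfo (for instance the output of `openssl x509 -in root.pem -pubkey -noout | openssl pkey -pubin -outform DER`): key_identifier() should then reproduce the SKID stored in the certificate if the CA used the "hash" method, and decode_key_usage() on the certificate's keyUsage extension should return exactly keyCertSign and cRLSign. keyCertSign+cRLSign encodes as the BIT STRING 03 02 01 06, and the basicConstraints value as 30 06 01 01 FF 02 01 03, which is what you will see in a hex dump of a root following this table.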

Business Layout

Field | Name | 2003 | 2008 | 2014 | comments
O | Organisation | Root CA | CAcert.org - Community Certification Authority | | Standard layout, see below.
OU | Organisational Unit | http://www.cacert.org/ | Permission to USE | cacert.org |
CN | Common Name | CA Cert Signing Authority | CAcert.org | CAcert Root |

Extensions (mark which critical)

Field | 2003 | 2008 | 2014 | comments
Certificate Policies | http://www.cacert.org/index.php?id=10 | Permission to USE | | This is the "preferred" field for policies; the "use" document is the first and most important. Not critical.
Subject:serialNumber (OID 2.5.4.5) | none | none | none | Association Registration Number INC9880170 for sub-roots. This is a subject DN attribute rather than an extension, so it carries no critical flag.

Serial numbers

Serial numbers issued under the 2003 Class 1 root start at 10 (hex). Serial numbers in the range 0 - F are to be considered reserved, and the following allocations have been made:

0 - Class 1 Root with MD5 signature
1 - Class 3 Root with MD5 signature (old)
(E) - Class 3 Root with SHA-256 signature and hash-only Authority Key Identifier (tbd)
(F) - Class 1 Root with SHA-256 signature and hash-only Authority Key Identifier (tbd)

Note that the Class 3 Root with SHA-256 signature (re-signed in 2011) has a serial number in the upper, non-reserved range (0A:41:8A).

Serial numbers issued under the 2003 Class 3 root start at 2 (hex). Serial numbers 0 and 1 are to be considered reserved; no allocations have been made for them.


Roots/Contents (last edited 2016-03-09 15:24:08 by AlesKastner)